
3 Steps to Set Up Auto-Renewal for Let’s Encrypt SSL Certificates (Apache)

In this tutorial, I will show you how to renew your Let’s Encrypt certificates automatically on an Apache server. After this, you won’t need to renew your Let’s Encrypt SSL certificates manually. If you’re using an Nginx server, follow this tutorial here.

How to auto-renew Let’s Encrypt certificates?

Setting up Let’s Encrypt auto-renewal is easy: you just need a cron job that renews your certificates automatically. But if I only showed you the cron job part, you might run into problems later. That is why this tutorial has 3 steps, which together give you a reliable auto-renewal setup for your Let’s Encrypt SSL certificate. So, let’s get started.



  • Before getting started with this tutorial, you should have installed Let’s Encrypt SSL certificates on your Apache or Nginx server. If you have not done that yet, follow this tutorial here (I am working on it).
  • Any Linux system with shell access and sudo or root privileges.

There are a lot of ACME clients available for installing Let’s Encrypt certificates, but for simplicity we use Certbot.

Let’s get started.

Step 1: Determining Certbot type

It is very important to find out which type of Certbot you used when you installed the Let’s Encrypt SSL certificate. This is necessary because the command you put in the cron script later depends on the Certbot type. There are two ways to install Certbot on a Linux server.

a) Using wget: According to the official Certbot website, this method is used for Debian 8, CentOS 6, RHEL 6 and Ubuntu (>>16.04) versions of Linux. If you used the wget method, then you already have a ‘certbot-auto’ directory on your server. Later we’ll need the location of that directory. Generally, people download certbot-auto to the /usr/local/bin/certbot-auto directory. You may have downloaded it to /etc/letsencrypt or somewhere else.

If you have forgotten it or deleted it, execute the following lines from an SSH shell terminal.

sudo mv certbot-auto /etc/letsencrypt/certbot-auto
sudo chown root /etc/letsencrypt/certbot-auto
sudo chmod 0755 /etc/letsencrypt/certbot-auto

b) Installed from the Linux repository: If you installed Certbot using a command like this

# For CentOS 7 or up
sudo yum install certbot python2-certbot-apache
# For Debian 9 or up and Ubuntu 16.04 or up
sudo apt-get install certbot python-certbot-apache

then you installed Certbot from the Linux repository.


Step 2: Renewing Let’s Encrypt certificates automatically

In this step we will set up Let’s Encrypt auto-renewal using cron. Cron is a software utility offered by Linux-like operating systems that runs scheduled tasks at predetermined times. It is a daemon, a background process that performs the specified operations at the predefined time without the intervention of a user.

We are going to set up a scheduled task that executes the certbot renew command every weekend. The certbot renew command attempts to renew any previously obtained certificates that expire in less than 30 days. The same plugin and options that were used when the certificate was originally issued are used for the renewal attempt. Since renew only renews certificates that are near expiry, it can be run as frequently as you want, because it will usually take no action.

So, let’s open the crontab by executing the following line in your Linux terminal.

sudo crontab -e

We have to use the root user’s crontab, which is why we’re using the sudo command. Only the root user has permission to execute the certbot renew command. If you are wondering what a crontab is: a crontab (cron table) is just a list of cron jobs that you want to run on a schedule.

You may be asked to select an editor. Select Nano or /bin/nano if it’s available by typing its number and pressing Enter. Vi and other more advanced editors may be preferred by advanced users, but Nano is an easy editor to get started with.

Use the arrow keys or the Page Down key to scroll to the bottom of the crontab file in Nano. The lines starting with # are comment lines, which means that cron ignores them. Now paste or type the following line according to your Certbot type and Linux version. This code will run every weekend at 3.00 am. When your Let’s Encrypt SSL certificate has less than 30 days left, the certbot renew command will renew it automatically.

For those who used wget:

For Debian Linux version 7.x or Ubuntu Linux version 14.10 or older:
0 3 * * 6 cd /path/location && ./certbot-auto renew && /etc/init.d/apache2 restart
For Debian Linux version 8.x+ or Ubuntu Linux version 15.04+ or above:
0 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart apache2.service
For CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older:
0 3 * * 6 cd /path/location && ./certbot-auto renew && service httpd restart
For CentOS/RHEL (Red Hat) Linux version 7.x or newer:
0 3 * * 6 cd /path/location && ./certbot-auto renew && systemctl restart httpd.service

For those who installed Certbot from the Linux repository:

For Debian Linux version 7.x or Ubuntu Linux version 14.10 or older:

0 3 * * 6 certbot renew && /etc/init.d/apache2 restart

For Debian Linux version 8.x+ or Ubuntu Linux version 15.04+ or above:

0 3 * * 6 certbot renew && systemctl restart apache2.service

For CentOS/RHEL (Red Hat) Linux version 4.x/5.x/6.x or older:

0 3 * * 6 certbot renew && service httpd restart

For CentOS/RHEL (Red Hat) Linux version 7.x or newer:

0 3 * * 6 certbot renew && systemctl restart httpd.service

Saving the File

Now press Ctrl-O and then Enter to save the crontab file in Nano. Use the Ctrl-X shortcut to close Nano after you’ve saved the file.

Step 3: Testing Let’s Encrypt auto-renewal

Though this part is optional, I recommend that you test your auto-renew cron script for errors. It will be a disaster if your Let’s Encrypt certificate is not renewed before it expires because of some error.

Basic testing using --dry-run:

For error checking we’ll run certbot renew --dry-run or path/location/certbot-auto renew --dry-run, a process in which the auto-renew script is executed without actually renewing the certificates.

Execute the following lines in your Linux terminal.

For those who used wget:

sudo -i 
cd /path/location && ./certbot-auto renew --dry-run && apache-restart-command

For those who installed Certbot from the Linux repository:

sudo -i 
certbot renew --dry-run && apache-restart-command

Advanced testing using --force-renew

In this advanced testing section we’ll simulate the Let’s Encrypt automatic certificate renewal process by using the --force-renew option. As you already know, the certbot renew command only takes action if your certificate has less than 30 days left. But if we use it with the “--force-renew” option, your certificate is renewed immediately. Remember that you can only renew 5 certificates per week for a particular domain or subdomain.

1. Note the date of your current certificate

To view the current expiry date of your Let’s Encrypt certificate, execute the following command in your terminal.

sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem

Take note of the date and time when the certificate was issued – either paste it into notepad or write it down on a piece of paper.

2. Creating a cron job

In this step we’ll create a cron job that will be executed 6 minutes from now.

Execute the “date” command to find out the current time on your Linux server.

In this example my Linux server’s time showed 17:38:05. So, let’s create a cron job at 17:44 (17:38 plus 6 minutes).

44 17 * * * cd /etc/letsencrypt/ && ./certbot-auto renew --force-renew && /etc/init.d/apache2 restart

Don’t forget to change the time and the Apache restart command (according to your Linux version).

3. Checking the syslog

After the time at the front of the script has passed (17:44 in this example), check your system log to verify that the script has executed successfully.

To view the system log, execute this command:

cat /var/log/syslog

If the cron script appears in the syslog, follow the next step; if not, wait a few minutes and reopen the syslog.

4. Check if renewal was successful

Now let’s check the Let’s Encrypt certificate’s expiry date again:

sudo openssl x509 -noout -dates -in /etc/letsencrypt/live/your-domain-name/fullchain.pem

Now compare the expiry date you noted with the current expiry date. If you see a change, then there is no error in your auto-renewal script. If not, feel free to drop a comment in the comment section below.

Lastly, don’t forget to revert the crontab script to the default.
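
The manual date comparison in step 4 can also be run as a repeatable check. The script below is an added example, not part of the original tutorial: it uses openssl x509 -checkend to flag a certificate that has less than 30 days left, the window in which certbot renew should already have replaced it. The function names and the throwaway demo certificates are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the tutorial): flag a certificate that is inside
# certbot's 30-day renewal window, which means a scheduled renewal was missed.

# cert_needs_renewal FILE [DAYS]
#   0 = expires within DAYS days (or has already expired)
#   1 = valid for longer than DAYS days
#   2 = FILE is missing or is not a readable certificate
cert_needs_renewal() {
    cert=$1
    days=${2:-30}
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_renewal FILE [DAYS]: prints one status line; non-zero exit on a problem
check_renewal() {
    rc=0
    cert_needs_renewal "$1" "${2:-30}" || rc=$?
    case $rc in
        1) echo "OK: $1 is valid for more than ${2:-30} days"; return 0 ;;
        0) echo "WARNING: $1 expires within ${2:-30} days, renewal is overdue"; return 1 ;;
        *) echo "ERROR: cannot read certificate $1"; return 2 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.invalid" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/fresh.pem" 90   # like a certificate that was just renewed
make_demo_cert "$demo_dir/stale.pem" 10   # like one whose renewal job has been failing
check_renewal "$demo_dir/fresh.pem" 30 || true
check_renewal "$demo_dir/stale.pem" 30 || true
```

Pointing check_renewal at /etc/letsencrypt/live/your-domain-name/fullchain.pem from a daily root cron job gives a warning weeks before the certificate actually expires.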

Now it is your time!

I tried my best to provide you a complete tutorial on how to renew your letsencrypt SSL Certificate automatically. I hope you liked it.

If you need help just drop a comment.

If you benefited from this tutorial, and would like to support my work, please like my Facebook page.


4 thoughts on “3 Steps to Setup auto renew for Let’s Encrypt SSL Certificates(Apache)”

  1. Thank you very much for this wonderful tutorial!
    But I am just wondering which type of Certbot is better for Let’s Encrypt installation.

    1. Hi Joe,

      Thanks for your feedback – I’m glad you found the tutorial helpful!
      There is no difference between these two types of Certbot. Both are the official versions and can perfectly install Let’s Encrypt SSL certificate.

  2. Great work! This is the kind of info that should be
    shared across the web. Shame on the search engines for now
    not positioning this submit upper! Come on over and talk over
    with my website . Thank you =)

  3. Great tutorial. I like it,
    but I have a question: when I do step 3, I have a problem.
    First I checked the current time, let’s say 15:08:00 HKT.
    I changed the crontab to
    15 15 * * * certbot renew –force-renew && systemctl restart apache2.service
    After 15:15,
    I checked cat /var/log/syslog and it output
    (root) CMD (certbot renew –force-renew && systemctl restart apache2.service)

    However, when I checked my cert due date using
    openssl x509 -noout -dates -in /etc/letsencrypt/live/my-domain-name/cert.pem
    it doesn’t change. Do you know what the problem is???
